The concept of reading a 'password' from a keypad is conceptually very similar to the way serial port input is received, buffered and processed. I suggest you look at Nick Gammon's examples showing how to deal with serial port input.
In place of the Serial.available() and Serial.read() you would check for a keypress event and work out the ascii character code corresponding to the button that was pressed.
If you want to apply a timeout to the password entry then the approach would be to record the value of millis() when the password entry started, and then compare that with the value of millis() while you were waiting for the password entry to be completed. If the elapsed time exceeds your threshold then abandon the password entry and deal with the timeout as you see fit. The 'blink without delay' example sketch shows you exactly how to detect when an interval has elapsed and is more or less identical to the way you'd implement the timeout detection.